[gin-auth] FW: DN incompatibility issue
Cindy Zheng
zhengc at sdsc.edu
Mon Apr 24 18:59:31 CDT 2006
-----Original Message-----
From: Charles Bacon [mailto:bacon at mcs.anl.gov]
Sent: Monday, April 24, 2006 3:05 PM
To: zhengc at sdsc.edu
Cc: allcock at mcs.anl.gov; childers at mcs.anl.gov
Subject: Re: DN incompatibility issue
On Apr 24, 2006, at 4:30 PM, Cindy Zheng wrote:
> Dear Bill,
>
> During our chat at PRAGMA10, I mentioned the DN
> incompatibility issue we encountered in our Grid
> interoperation effort. Here is a detailed description
> http://goc.pragma-grid.net/gin/Cert-probs-GIN.pdf
> Would appreciate any comments and suggestions.
> I'm cc'ing to Lisa and Charles for comments as well.
This came up when we upgraded our version of OpenSSL back in mid-2004
in the 3.2 release of the Globus Toolkit. Here's the bug that was
opened about the issue:
http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=575
The reporter, Keith Thompsen, also sent an email at the same time:
http://www-unix.globus.org/mail_archive/security/2004/10/msg00000.html
The issue arises when an OID (like 0.9.2342.19200300.100.1.1) doesn't
have a canonical mapping to a human-readable string like "UID". The
RFC quoted in the paper mentions that UID is preferred to USERID, but
that doesn't address the other problematic RDNs like serialNumber and
emailAddress.
There are two approaches the community at large has taken. One is to
standardize on a particular version of the openssl libraries - for
instance, we have used 0.97c for a while. This is mentioned in the
conclusion when the author mentions upgrading the ASN.1 encoding used
by the VOMS Admin. The other approach is to allow flexibility in the
interpretation of the RDN, which is referred to in the paper as "The
hack". Adding both USERID and UID versions of the DN to the grid-
mapfile (or equivalent) and CA signing policy files allows the OID
blob to be rendered to text either way. I believe this is the
approach taken by TeraGrid and the gx-map tool. Here's an example
pair of entries in their grid-mapfile:
"/C=US/O=UTAustin/OU=TACC/CN= Chris Gilpin/UID=tg456958" cgilpin
"/C=US/O=UTAustin/OU=TACC/CN= Chris Gilpin/USERID=tg456958" cgilpin
And in the signing policy for that CA:

# TACC CA signing Policy
access_id_CA X509 '/C=US/O=UTAustin/OU=TACC/CN=TACC Certification Authority/USERID=caman'
pos_rights globus CA:sign
cond_subjects globus '"/C=US/O=UTAustin/OU=TACC/*"'

access_id_CA X509 '/C=US/O=UTAustin/OU=TACC/CN=TACC Certification Authority/UID=caman'
pos_rights globus CA:sign
cond_subjects globus '"/C=US/O=UTAustin/OU=TACC/*"'

I hope this helps,
Charles
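The two workarounds in Charles's mail (duplicate grid-mapfile entries for each rendering, versus treating the RDN type flexibly) can be made mechanical by comparing subjects on their attribute-type OIDs rather than on whatever short name the local OpenSSL build happens to print. The following is an added example, not code from the mail, from Globus or from gx-map: it parses OpenSSL "oneline" DNs, canonicalises each RDN type to its dotted OID, generates the UID/USERID pair of grid-mapfile lines, and looks up a presented subject against a grid-mapfile by canonical form so that a single line matches either rendering. The UID/USERID pair is the one the mail discusses; the emailAddress/Email alias for 1.2.840.113549.1.9.1 and the two "rendering styles" are assumptions for illustration, and the sample grid-mapfile and DNs are constructed.

```python
"""Canonicalise X.509 subject DNs by attribute-type OID so that grid-mapfile
lookups do not depend on which short name a given OpenSSL build prints."""

import re

# Short names as they appear in OpenSSL oneline DN strings, mapped to OIDs.
# UID/USERID is the case from the mail; the Email alias for emailAddress is
# an assumption about older OpenSSL output; the rest are standard X.520 types.
OID_OF = {
    "UID": "0.9.2342.19200300.100.1.1",
    "USERID": "0.9.2342.19200300.100.1.1",
    "emailAddress": "1.2.840.113549.1.9.1",
    "Email": "1.2.840.113549.1.9.1",
    "serialNumber": "2.5.4.5",
    "C": "2.5.4.6",
    "ST": "2.5.4.8",
    "L": "2.5.4.7",
    "O": "2.5.4.10",
    "OU": "2.5.4.11",
    "CN": "2.5.4.3",
}

# Constructed name tables: what two different OpenSSL builds would print for
# the OIDs whose short name changed between releases.
RENDERINGS = {
    "new": {"0.9.2342.19200300.100.1.1": "UID",
            "1.2.840.113549.1.9.1": "emailAddress"},
    "old": {"0.9.2342.19200300.100.1.1": "USERID",
            "1.2.840.113549.1.9.1": "Email"},
}

_DOTTED = re.compile(r"^\d+(\.\d+)+$")


def parse_dn(dn):
    """Split '/C=US/O=UTAustin/CN=x' into [(type, value), ...].
    Assumes the oneline form: '/'-separated RDNs, no escaping of '/' or '='."""
    if not dn.startswith("/"):
        raise ValueError("expected a '/'-prefixed oneline DN: %r" % dn)
    rdns = []
    for part in dn[1:].split("/"):
        if "=" not in part:
            raise ValueError("malformed RDN %r in %r" % (part, dn))
        typ, value = part.split("=", 1)
        rdns.append((typ, value))
    return rdns


def canonical(dn):
    """Return the DN as a tuple of (oid, value) pairs. A type already written
    as a dotted OID (how OpenSSL prints a type it has no name for) is kept."""
    out = []
    for typ, value in parse_dn(dn):
        if _DOTTED.match(typ):
            oid = typ
        elif typ in OID_OF:
            oid = OID_OF[typ]
        else:
            raise ValueError("unknown attribute type %r in %r" % (typ, dn))
        out.append((oid, value))
    return tuple(out)


def render(dn, style):
    """Re-render a DN the way a build using the given name table would print it."""
    names = {}
    for name, oid in OID_OF.items():      # first listed name wins as default
        names.setdefault(oid, name)
    names.update(RENDERINGS[style])
    return "".join("/%s=%s" % (names[oid], value) for oid, value in canonical(dn))


def gridmap_entries(dn, local_user):
    """The 'hack' from the mail: one grid-mapfile line per known rendering."""
    lines = []
    for style in RENDERINGS:
        line = '"%s" %s' % (render(dn, style), local_user)
        if line not in lines:
            lines.append(line)
    return lines


def parse_gridmap(text):
    """Parse lines of the form '"/DN" localuser'; skip blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^"([^"]+)"\s+(\S+)$', line)
        if not m:
            raise ValueError("bad grid-mapfile line: %r" % raw)
        entries.append((m.group(1), m.group(2)))
    return entries


def lookup(gridmap_text, presented_dn):
    """Map a presented subject to a local account by canonical comparison,
    so one grid-mapfile line matches whichever short name the peer's build used."""
    want = canonical(presented_dn)
    for dn, user in parse_gridmap(gridmap_text):
        if canonical(dn) == want:
            return user
    return None


# Constructed sample grid-mapfile with a single (UID-style) entry.
SAMPLE_GRIDMAP = """# constructed sample
"/C=US/O=UTAustin/OU=TACC/CN=Chris Gilpin/UID=tg456958" cgilpin
"""

if __name__ == "__main__":
    for line in gridmap_entries("/C=US/O=UTAustin/OU=TACC/CN=Chris Gilpin/UID=tg456958", "cgilpin"):
        print(line)
    print(lookup(SAMPLE_GRIDMAP, "/C=US/O=UTAustin/OU=TACC/CN=Chris Gilpin/USERID=tg456958"))
```

The canonical comparison is the safer of the two approaches: the duplicated-entry hack has to be redone for every attribute type whose name changes (serialNumber and emailAddress as well as UID), whereas comparing on OIDs only needs the name table extended. Note that values are compared byte-for-byte; no whitespace or case folding is applied, because a mapping that is looser than the CA's own notion of subject identity would let one DN match another's account.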